Target IP: 10.129.205.158
Challenge Description: N/A.
A port scan with the command sudo nmap -sS 10.129.205.158 -p- shows two TCP ports open on the target machine: SSH and HTTP, as shown above. I will perform an aggressive port scan against these two TCP ports to identify their services.
I performed an aggressive port scan using the command sudo nmap -sV -A 10.129.205.158 -p 22,80 and obtained the result shown above. By the looks of it, there is an interesting web application on port 80, so I will start enumeration there.
Running whatweb against the HTTP application with the command whatweb http://10.129.205.158 shows that the target machine uses the domain name topology.htb. I will insert this hostname into my /etc/hosts file first. I will also perform subdomain enumeration with ffuf to identify any subdomains.
I performed subdomain enumeration with the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" -u http://topology.htb -fs 6767 and successfully identified two subdomains: dev.topology.htb and stats.topology.htb. Time to insert these new hostnames into my /etc/hosts file.
Now my /etc/hosts file contains the entry shown above. Time to begin the enumeration.
Port 80: HTTP (topology.htb)
The webpage above is displayed for this web application. Right away, I notice the web application is mostly static. However, there is an interactive feature named LaTeX Equation Generator under Software Projects, as shown above. When I hover over this hyperlink, I see the hostname latex.topology.htb. I will insert this new hostname into my /etc/hosts file too.
Port 80: HTTP (latex.topology.htb)
The interactive feature of the web application is located under this subdomain, and its main webpage is shown above. I notice I can insert LaTeX code to generate equations. If the LaTeX application is vulnerable to command injection, maybe I can obtain RCE? Hmm... Before attacking the web application, I wish to enumerate further to find more information about it. I tested the web application and it seems to work: inputting LaTeX code renders it as an image file.
After searching online for payloads to perform command execution, I found a working payload to read the /etc/passwd file: $\lstinputlisting{/etc/passwd}$, as shown above. I notice there is a user called vdaisley. Maybe I can read this user's SSH key? However, I had no luck. From the previous enumeration, I found that dev.topology.htb required me to log in. Maybe I can read the .htpasswd file instead using the same payload?
And bingo! I successfully read the .htpasswd file contents using the payload $\lstinputlisting{/var/www/dev/.htpasswd}$. Time to copy the password hash to my machine and crack it with john.
I copied the password hash $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0 to a file called hash on my machine. Then, using the command john hash --wordlist=/usr/share/wordlists/rockyou.txt, I cracked it and obtained the password calculus20, as shown above. Now I have the credentials vdaisley:calculus20. Time to access dev.topology.htb as this user.
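From the defender's side, the file read above works because the equation generator hands raw user input to a TeX engine, and TeX has several commands that read or write files on the server. The following filter is an added example, not code from the writeup or from the target application; the allow-list of math commands and the 500-character limit are my own assumptions. It rejects the page's \lstinputlisting payload and accepts ordinary equations.

```python
import re

# Added example (not from the writeup or the target application): an input
# filter for a LaTeX equation service. Commands such as \lstinputlisting,
# \input and \openin read files on the server, so an equation renderer must
# never pass them through to the TeX engine.

# Commands that read or write files, run programs, or rebuild other commands.
DANGEROUS = {
    "input", "include", "lstinputlisting", "verbatiminput", "InputIfFileExists",
    "openin", "openout", "read", "write", "write18", "immediate", "catcode",
    "def", "edef", "gdef", "let", "csname", "expandafter", "usepackage",
}

# Math commands an equation renderer needs (constructed allow-list, extend as required).
ALLOWED = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "alpha", "beta", "gamma",
    "theta", "pi", "sigma", "cdot", "times", "left", "right", "mathbb", "mathrm",
    "text", "hat", "vec", "partial", "nabla", "sin", "cos", "tan", "log", "ln",
    "exp", "leq", "geq", "neq", "pm", "to", "dots",
}

MAX_LEN = 500  # assumed size limit for one equation
CMD_RE = re.compile(r"\\([A-Za-z]+|.)")  # \name or a single-character control symbol

def check_equation(src: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one user-supplied equation string."""
    if len(src) > MAX_LEN:
        return False, "input too long"
    if "^^" in src:
        # ^^5c is TeX's escape for a backslash; it would hide \input from the regex.
        return False, "^^ character escapes are not allowed"
    for m in CMD_RE.finditer(src):
        name = m.group(1)
        if name in DANGEROUS:
            return False, f"\\{name} reads or writes files or redefines commands"
        if name.isalpha() and name not in ALLOWED:
            return False, f"\\{name} is not an allowed math command"
    return True, "ok"
```

A filter alone is not sufficient: the engine should also run with shell escape disabled (pdflatex -no-shell-escape) and file access restricted (openin_any=p in TeX Live's texmf.cnf), inside a sandbox with no access to the web root.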
Port 80: HTTP (dev.topology.htb)
I browsed to dev.topology.htb and entered the new credentials to sign in, as shown above.
After logging in successfully, the webpage above was presented to me. I notice there is another button under the LaTeX Equation Generator project section. Maybe I can obtain more information about the web application itself, such as its version? Hmm...
I notice there are interesting files inside this project directory, as shown above. However, I did not find anything directly useful; I did learn the setup used by the web application, such as its packages. Time to test the credentials against the SSH service on port 22.
And bingo! I successfully logged in as the user vdaisley via SSH on port 22, as shown above. Now I have a foothold on the target machine as this user :)
After some manual enumeration, I decided to transfer pspy64 to the target machine and run it. After executing it, I notice the unusual cronjob shown above. The directory /opt/gnuplot/ contains a few interesting scripts, shown above. I find the script getdata.sh in this directory the most interesting. However, I am unable to read this script as it is owned by the user root. I notice the cronjob is looking for .plt files inside the /opt/gnuplot directory, and that they are executed by the gnuplot binary as root. Maybe I can create a malicious .plt file to execute system commands?
Obtaining a root shell is straightforward. To execute system commands through gnuplot, I used its system command. Using the command echo "system 'chmod u+s /bin/bash'" > /opt/gnuplot/shell.plt, I set the SUID bit on the /bin/bash binary so it runs as root. After waiting a minute, I executed the command /bin/bash -p to spawn a root shell, as shown above. GG.
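The root cause of the privilege escalation is a root cron job consuming files from a directory an unprivileged user can write to. The audit below is an added example, not code from the writeup or the target machine; it builds a constructed copy of the weak /opt/gnuplot layout in a temporary directory, reports the findings, then checks that the hardened permissions pass.

```python
import os
import stat
import tempfile

# Added example (not from the writeup): audit a directory that a root cron job
# consumes. On this machine, root's cron ran gnuplot on every .plt file under
# /opt/gnuplot, and that directory was writable by an unprivileged user, so any
# .plt dropped there had its "system" commands run as root. The rule checked
# here: directory and inputs owned by the job's owner, writable by nobody else,
# and no symlinks. All paths below are constructed for the demo.

def writable_by_others(st: os.stat_result, owner_uid: int) -> bool:
    """True if the entry is not owned by owner_uid or grants group/world write."""
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron_dir(path: str, owner_uid: int = 0, suffix: str = ".plt") -> list[str]:
    """Return findings for a directory whose *suffix files a privileged job executes."""
    findings = []
    st = os.stat(path)
    if writable_by_others(st, owner_uid):
        findings.append(f"{path}: directory writable by others (mode {oct(st.st_mode & 0o777)})")
    for name in sorted(os.listdir(path)):
        if not name.endswith(suffix):
            continue
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{full}: symlink in privileged input directory")
        elif writable_by_others(fst, owner_uid):
            findings.append(f"{full}: file writable by others (mode {oct(fst.st_mode & 0o777)})")
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Build a constructed copy of the weak /opt/gnuplot layout, then harden it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "gnuplot")
        os.mkdir(d)
        plt = os.path.join(d, "shell.plt")
        with open(plt, "w") as f:
            f.write("plot sin(x)\n")  # content is irrelevant to the permission check
        me = os.stat(d).st_uid  # treat the current user as the job owner for the demo
        os.chmod(d, 0o777)   # the weak setup: anyone can drop a .plt here
        os.chmod(plt, 0o666)
        before = audit_cron_dir(d, owner_uid=me)
        os.chmod(d, 0o755)   # hardened: only the owner writes
        os.chmod(plt, 0o644)
        after = audit_cron_dir(d, owner_uid=me)
        return before, after
```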
The two flags are shown above.